mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-01 11:26:29 +02:00
c886b924e7
* authenticate: set cookie secure as default. * authenticate: remove single flight provider. * authenticate/providers: Rename “ProviderData” to “IdentityProvider” * authenticate/providers: Fixed an issue where scopes were not being overwritten * proxy/authenticate : http client code removed. * proxy: standardized session variable names between services. * docs: change basic docker-config to be an “all-in-one” example with no nginx load. * docs: nginx balanced docker compose example with intra-ingress settings. * license: attribution for adaptation of goji’s middleware pattern.
80 lines
2.7 KiB
Go
80 lines
2.7 KiB
Go
package proxy // import "github.com/pomerium/pomerium/proxy"
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"time"
|
|
|
|
"github.com/golang/protobuf/ptypes"
|
|
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
pb "github.com/pomerium/pomerium/proto/authenticate"
|
|
)
|
|
|
|
// AuthenticateRedeem makes an RPC call to the authenticate service to creates a session state
|
|
// from an encrypted code provided as a result of an oauth2 callback process.
|
|
func (p *Proxy) AuthenticateRedeem(code string) (*sessions.SessionState, error) {
|
|
if code == "" {
|
|
return nil, errors.New("missing code")
|
|
}
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
defer cancel()
|
|
r, err := p.AuthenticatorClient.Authenticate(ctx, &pb.AuthenticateRequest{Code: code})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
expiry, err := ptypes.Timestamp(r.Expiry)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &sessions.SessionState{
|
|
AccessToken: r.AccessToken,
|
|
RefreshToken: r.RefreshToken,
|
|
IDToken: r.IdToken,
|
|
User: r.User,
|
|
Email: r.Email,
|
|
RefreshDeadline: (expiry).Truncate(time.Second),
|
|
LifetimeDeadline: extendDeadline(p.CookieLifetimeTTL),
|
|
ValidDeadline: extendDeadline(p.CookieExpire),
|
|
}, nil
|
|
}
|
|
|
|
// AuthenticateRefresh makes an RPC call to the authenticate service to attempt to refresh the
|
|
// user's session. Requires a valid refresh token. Will return an error if the identity provider
|
|
// has revoked the session or if the refresh token is no longer valid in this context.
|
|
func (p *Proxy) AuthenticateRefresh(refreshToken string) (string, time.Time, error) {
|
|
if refreshToken == "" {
|
|
return "", time.Time{}, errors.New("missing refresh token")
|
|
}
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
defer cancel()
|
|
r, err := p.AuthenticatorClient.Refresh(ctx, &pb.RefreshRequest{RefreshToken: refreshToken})
|
|
if err != nil {
|
|
return "", time.Time{}, err
|
|
}
|
|
|
|
expiry, err := ptypes.Timestamp(r.Expiry)
|
|
if err != nil {
|
|
return "", time.Time{}, err
|
|
}
|
|
return r.AccessToken, expiry, nil
|
|
}
|
|
|
|
// AuthenticateValidate makes an RPC call to the authenticate service to validate the JWT id token;
|
|
// does NOT do nonce or revokation validation.
|
|
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
|
|
func (p *Proxy) AuthenticateValidate(idToken string) (bool, error) {
|
|
if idToken == "" {
|
|
return false, errors.New("missing id token")
|
|
}
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
defer cancel()
|
|
r, err := p.AuthenticatorClient.Validate(ctx, &pb.ValidateRequest{IdToken: idToken})
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return r.IsValid, nil
|
|
}
|
|
|
|
func extendDeadline(ttl time.Duration) time.Time {
|
|
return time.Now().Add(ttl).Truncate(time.Second)
|
|
}
|